[20658] in bugtraq


RE: Windows 2000 .printer remote overflow proof of concept exploit....

daemon@ATHENA.MIT.EDU (Christopher Gerg)
Wed May 16 07:54:55 2001

Reply-To: <gerg@berbee.com>
From: "Christopher Gerg" <gerg@berbee.com>
To: <BUGTRAQ@securityfocus.com>
Date: Tue, 15 May 2001 08:08:02 -0500
Message-ID: <DNEHLJJDBKMCABNOEHHBOEJICNAA.gerg@berbee.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <5.0.0.25.2.20010511105942.00ae9918@s01.bevelander.nl>

That root.exe sploit is actually the Solaris sadmind/IIS Unicode worm.
I've been on several incident responses at client sites and have seen it.
It zombifies a Solaris box using the sadmind exploit (shame on them) and
then scans a range of addresses for IIS b0x3n that are vulnerable to the
Unicode exploit (again, shame!).  It copies cmd.exe to the scripts directory
and runs a search and change for index.htm, index.asp, default.htm and
index.asp and changes them to an anti-USA-government (and anti-spiderbox)
message.

Christopher Gerg
Network Security Engineer
Berbee
608.298.1116
Page: 608.376.4658
Email: gerg@berbee.com
Fax: 608.288.3007
Berbee...putting the E in business

-----Original Message-----
From: Joshua Dodds [mailto:jdodds@bevelander.nl]
Sent: Friday, May 11, 2001 4:05 AM
To: BUGTRAQ@securityfocus.com
Subject: Re: Windows 2000 .printer remote overflow proof of concept
exploit....



>
>It's out there. I've seen logs indicating the attacker put a "root.exe"
>file on the IIS5 host and then were able to issue a command to run this
>file via the overflow. I don't have any more specific information on the
>contents of the root.exe file or the exact script used, etc. at this time.

root.exe is just cmd.exe copied to root.exe!  doh!

-jd
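Both messages above describe the same trail the worm leaves on an IIS 5 host: a percent-encoded traversal request that reaches cmd.exe, a copy of cmd.exe parked in the scripts directory as root.exe, follow-up requests that run commands through it, and replaced index/default pages. The following script is an added example (not code from either poster) that turns those observations into two incident-response checks: a scanner for W3C-style IIS log lines and a hash-based comparison of the web root against a known-good baseline. The log lines, file contents and hostnames in it are constructed for the demonstration; the overlong-UTF-8 check rests on the fact that the bytes 0xC0 and 0xC1 can never begin a valid UTF-8 sequence.

```python
import hashlib
import re
from urllib.parse import unquote_to_bytes

# Constructed W3C-style IIS log lines (date time c-ip method uri query status).
# Lines 3 and 4 mimic what the thread describes; the rest is normal traffic.
SAMPLE_LOG = """\
2001-05-11 04:05:12 10.0.0.7 GET /default.htm - 200
2001-05-11 04:05:13 10.0.0.7 GET /images/logo.gif - 200
2001-05-11 04:05:20 192.0.2.44 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 502
2001-05-11 04:05:21 192.0.2.44 GET /scripts/root.exe /c+dir 200
2001-05-11 04:06:02 10.0.0.9 GET /scripts/report.asp id=5 200
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<query>\S+) (?P<status>\d+)$"
)


def has_overlong_utf8(raw: bytes) -> bool:
    # 0xC0 and 0xC1 are never valid UTF-8 lead bytes; they only occur in
    # overlong encodings, which is what the IIS Unicode traversal abused.
    return any(b in (0xC0, 0xC1) for b in raw)


def analyze_line(line: str):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri, query = m["uri"], m["query"]
    raw = unquote_to_bytes(uri)          # one round of percent-decoding
    low = uri.lower()
    reasons = []
    if has_overlong_utf8(raw):
        reasons.append("overlong-utf8")
    if b".." in raw:
        reasons.append("traversal")
    if "/cmd.exe" in low:
        reasons.append("cmd.exe")
    if "/scripts/root.exe" in low:       # cmd.exe copied into /scripts, per the thread
        reasons.append("root.exe")
    if query.lower().startswith("/c+"):  # a command handed to the shell copy
        reasons.append("shell-command")
    return {"client": m["client"], "uri": uri, "query": query, "reasons": reasons}


def find_suspicious(log_text: str):
    """All log lines that carry at least one indicator, in file order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = analyze_line(line)
        if finding and finding["reasons"]:
            hits.append(finding)
    return hits


# Web-root integrity check: file name -> bytes, constructed for the example.
BASELINE_FILES = {
    "index.htm": b"<html>Welcome</html>",
    "default.htm": b"<html>Default</html>",
}
CURRENT_FILES = {
    "index.htm": b"<html>replaced content (constructed)</html>",
    "default.htm": b"<html>Default</html>",
}


def fingerprint(files: dict) -> dict:
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def changed_files(baseline: dict, current: dict) -> list:
    """Names whose content hash differs (or that were added/removed)."""
    base, now = fingerprint(baseline), fingerprint(current)
    return sorted(n for n in set(base) | set(now) if base.get(n) != now.get(n))


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["client"], hit["uri"], hit["query"], ",".join(hit["reasons"]))
    print("changed:", changed_files(BASELINE_FILES, CURRENT_FILES))
```

The traversal test runs on the raw decoded bytes rather than on a Unicode string because the whole point of the overlong encoding was that a naive string-level check for ".." or "/" misses it; comparing bytes and flagging the impossible lead bytes catches the pattern regardless of how the server itself would have interpreted it. On a real host the baseline hashes would come from the last known-good backup or deployment, not from the compromised machine.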

